An unknown ELF sample was observed generating Elknot-botnet-related network traffic. On analysis it turned out to be a Trojan-Downloader built with SHC (Shell Script Compiler), which wraps an encrypted shell script in a compiled C stub so that the script logic is not visible on disk, and which propagates via weak SSH credentials. The author appears to be a long-standing player, Icnanker, who leaves his QQ number and name in his code. Icnanker is the first Linux malware family we have observed that uses SHC. Its samples fall into two categories by function:
Downloader: mainly used to deliver DDoS and cryptomining payloads. Its current samples include Elknot Botnet, Xor Botnet and XMRMiner. On the HFS servers used by Icnanker, the download counter currently stands at 20,114 and grows by roughly 500 per day.
Protector: used to keep samples from being deleted; at present it is used to protect the mining service.
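As an added example (not code from the original write-up or from Icnanker itself), the following Python triage helper flags ELF files that carry the SHC runtime stub. It relies on the cleartext strings that shc's stub leaves in every binary it builds: the stub's error message "E: neither argv[0] nor $_ works." is the strong indicator, and the "x%lx" environment-variable name format used by the stub's self-check is a weaker one. The sample input is a constructed fake ELF header, not a real Icnanker binary; the indicator set is a heuristic, and the function and class names are my own.

```python
"""Triage helper: flag ELF files that look like SHC (Shell Script Compiler) stubs.

Added example, not code from the original article or from the Icnanker malware.
shc stores the shell path and the script as RC4-encrypted byte arrays that are
only decrypted in memory, so what remains matchable on disk is the stub's own
string literals. Treat a hit as a heuristic that warrants closer analysis.
"""
import struct
from dataclasses import dataclass, field

ELF_MAGIC = b"\x7fELF"

# Strong indicator: error message hard-coded in shc's runtime stub.
SHC_STRONG = b"E: neither argv[0] nor $_ works."
# Weak indicators: format strings the stub uses (may appear in other software).
SHC_WEAK = [b"x%lx"]

# e_machine values worth naming for Linux malware triage (subset).
E_MACHINE_NAMES = {0x03: "x86", 0x08: "MIPS", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}


@dataclass
class Verdict:
    is_elf: bool
    arch: str = "unknown"
    indicators: list = field(default_factory=list)

    @property
    def looks_like_shc(self) -> bool:
        # Only the stub's own error string is treated as decisive.
        return self.is_elf and "strong:stub_error_message" in self.indicators


def parse_elf_arch(data: bytes) -> str:
    """Describe class (32/64-bit) and machine from the ELF identification bytes."""
    ei_class = {1: "32-bit", 2: "64-bit"}.get(data[4], "class?")
    endian = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little, 2 = big
    (e_machine,) = struct.unpack_from(endian + "H", data, 18)
    return f"{ei_class} {E_MACHINE_NAMES.get(e_machine, hex(e_machine))}"


def scan_shc(data: bytes) -> Verdict:
    """Return a Verdict describing whether `data` is an ELF file with SHC stub markers."""
    if len(data) < 20 or not data.startswith(ELF_MAGIC):
        return Verdict(is_elf=False)
    verdict = Verdict(is_elf=True, arch=parse_elf_arch(data))
    if SHC_STRONG in data:
        verdict.indicators.append("strong:stub_error_message")
    for marker in SHC_WEAK:
        if marker in data:
            verdict.indicators.append("weak:" + marker.decode("ascii"))
    return verdict


def printable_strings(data: bytes, min_len: int = 8) -> list:
    """Minimal `strings`-style extractor so an analyst can eyeball what else is in the stub."""
    found, current = [], bytearray()
    for byte in data:
        if 0x20 <= byte < 0x7F:
            current.append(byte)
            continue
        if len(current) >= min_len:
            found.append(current.decode("ascii"))
        current = bytearray()
    if len(current) >= min_len:
        found.append(current.decode("ascii"))
    return found


def build_fake_sample(with_stub: bool) -> bytes:
    """Constructed test input: a 64-bit little-endian x86-64 ELF header plus filler.

    This is NOT a real binary; it only exercises the header parser and string matching.
    """
    header = bytearray(64)
    header[0:4] = ELF_MAGIC
    header[4] = 2                              # ELFCLASS64
    header[5] = 1                              # ELFDATA2LSB
    header[6] = 1                              # EV_CURRENT
    struct.pack_into("<H", header, 16, 2)      # e_type = ET_EXEC
    struct.pack_into("<H", header, 18, 0x3E)   # e_machine = x86-64
    body = b"\x00" * 32 + b"/usr/lib/libc.so\x00"
    if with_stub:
        body += SHC_STRONG + b"\x00" + b"x%lx\x00"
    return bytes(header) + body


if __name__ == "__main__":
    for label, blob in (("stub-like", build_fake_sample(True)), ("plain", build_fake_sample(False))):
        v = scan_shc(blob)
        print(f"{label}: elf={v.is_elf} arch={v.arch} shc={v.looks_like_shc} {v.indicators}")
        print("  strings:", printable_strings(blob))
```

On a real sample, read the file bytes and pass them to `scan_shc`; the stub only decrypts the script in memory and hands it to the shell at run time, so the script body itself is not on disk and string matching will not recover it. Recovering the script means observing the running process (for example its command line or memory), which is also why sandboxing an SHC-packed downloader is usually more productive than static analysis of the file.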
Icnanker comes with the following capabilities.